extensions.c 68 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933
  1. /*
  2. * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #if defined(__TANDEM) && defined(_SPT_MODEL_)
  10. # include <spthread.h>
  11. # include <spt_extensions.h> /* timeval */
  12. #endif
  13. #include <string.h>
  14. #include "internal/nelem.h"
  15. #include "internal/cryptlib.h"
  16. #include "../ssl_local.h"
  17. #include "statem_local.h"
  18. static int final_renegotiate(SSL_CONNECTION *s, unsigned int context, int sent);
  19. static int init_server_name(SSL_CONNECTION *s, unsigned int context);
  20. static int final_server_name(SSL_CONNECTION *s, unsigned int context, int sent);
  21. static int final_ec_pt_formats(SSL_CONNECTION *s, unsigned int context,
  22. int sent);
  23. static int init_session_ticket(SSL_CONNECTION *s, unsigned int context);
  24. #ifndef OPENSSL_NO_OCSP
  25. static int init_status_request(SSL_CONNECTION *s, unsigned int context);
  26. #endif
  27. #ifndef OPENSSL_NO_NEXTPROTONEG
  28. static int init_npn(SSL_CONNECTION *s, unsigned int context);
  29. #endif
  30. static int init_alpn(SSL_CONNECTION *s, unsigned int context);
  31. static int final_alpn(SSL_CONNECTION *s, unsigned int context, int sent);
  32. static int init_sig_algs_cert(SSL_CONNECTION *s, unsigned int context);
  33. static int init_sig_algs(SSL_CONNECTION *s, unsigned int context);
  34. static int init_server_cert_type(SSL_CONNECTION *sc, unsigned int context);
  35. static int init_client_cert_type(SSL_CONNECTION *sc, unsigned int context);
  36. static int init_certificate_authorities(SSL_CONNECTION *s,
  37. unsigned int context);
  38. static EXT_RETURN tls_construct_certificate_authorities(SSL_CONNECTION *s,
  39. WPACKET *pkt,
  40. unsigned int context,
  41. X509 *x,
  42. size_t chainidx);
  43. static int tls_parse_certificate_authorities(SSL_CONNECTION *s, PACKET *pkt,
  44. unsigned int context, X509 *x,
  45. size_t chainidx);
  46. #ifndef OPENSSL_NO_SRP
  47. static int init_srp(SSL_CONNECTION *s, unsigned int context);
  48. #endif
  49. static int init_ec_point_formats(SSL_CONNECTION *s, unsigned int context);
  50. static int init_etm(SSL_CONNECTION *s, unsigned int context);
  51. static int init_ems(SSL_CONNECTION *s, unsigned int context);
  52. static int final_ems(SSL_CONNECTION *s, unsigned int context, int sent);
  53. static int init_psk_kex_modes(SSL_CONNECTION *s, unsigned int context);
  54. static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent);
  55. #ifndef OPENSSL_NO_SRTP
  56. static int init_srtp(SSL_CONNECTION *s, unsigned int context);
  57. #endif
  58. static int final_sig_algs(SSL_CONNECTION *s, unsigned int context, int sent);
  59. static int final_early_data(SSL_CONNECTION *s, unsigned int context, int sent);
  60. static int final_maxfragmentlen(SSL_CONNECTION *s, unsigned int context,
  61. int sent);
  62. static int init_post_handshake_auth(SSL_CONNECTION *s, unsigned int context);
  63. static int final_psk(SSL_CONNECTION *s, unsigned int context, int sent);
  64. static int tls_init_compress_certificate(SSL_CONNECTION *sc, unsigned int context);
  65. static EXT_RETURN tls_construct_compress_certificate(SSL_CONNECTION *sc, WPACKET *pkt,
  66. unsigned int context,
  67. X509 *x, size_t chainidx);
  68. static int tls_parse_compress_certificate(SSL_CONNECTION *sc, PACKET *pkt,
  69. unsigned int context,
  70. X509 *x, size_t chainidx);
  71. /* Structure to define a built-in extension */
  72. typedef struct extensions_definition_st {
  73. /* The defined type for the extension */
  74. unsigned int type;
  75. /*
  76. * The context that this extension applies to, e.g. what messages and
  77. * protocol versions
  78. */
  79. unsigned int context;
  80. /*
  81. * Initialise extension before parsing. Always called for relevant contexts
  82. * even if extension not present
  83. */
  84. int (*init)(SSL_CONNECTION *s, unsigned int context);
  85. /* Parse extension sent from client to server */
  86. int (*parse_ctos)(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  87. X509 *x, size_t chainidx);
  88. /* Parse extension send from server to client */
  89. int (*parse_stoc)(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  90. X509 *x, size_t chainidx);
  91. /* Construct extension sent from server to client */
  92. EXT_RETURN (*construct_stoc)(SSL_CONNECTION *s, WPACKET *pkt,
  93. unsigned int context,
  94. X509 *x, size_t chainidx);
  95. /* Construct extension sent from client to server */
  96. EXT_RETURN (*construct_ctos)(SSL_CONNECTION *s, WPACKET *pkt,
  97. unsigned int context,
  98. X509 *x, size_t chainidx);
  99. /*
  100. * Finalise extension after parsing. Always called where an extensions was
  101. * initialised even if the extension was not present. |sent| is set to 1 if
  102. * the extension was seen, or 0 otherwise.
  103. */
  104. int (*final)(SSL_CONNECTION *s, unsigned int context, int sent);
  105. } EXTENSION_DEFINITION;
  106. /*
  107. * Definitions of all built-in extensions. NOTE: Changes in the number or order
  108. * of these extensions should be mirrored with equivalent changes to the
  109. * indexes ( TLSEXT_IDX_* ) defined in ssl_local.h.
  110. * Extensions should be added to test/ext_internal_test.c as well, as that
  111. * tests the ordering of the extensions.
  112. *
  113. * Each extension has an initialiser, a client and
  114. * server side parser and a finaliser. The initialiser is called (if the
  115. * extension is relevant to the given context) even if we did not see the
  116. * extension in the message that we received. The parser functions are only
  117. * called if we see the extension in the message. The finalisers are always
  118. * called if the initialiser was called.
  119. * There are also server and client side constructor functions which are always
  120. * called during message construction if the extension is relevant for the
  121. * given context.
  122. * The initialisation, parsing, finalisation and construction functions are
  123. * always called in the order defined in this list. Some extensions may depend
  124. * on others having been processed first, so the order of this list is
  125. * significant.
  126. * The extension context is defined by a series of flags which specify which
  127. * messages the extension is relevant to. These flags also specify whether the
  128. * extension is relevant to a particular protocol or protocol version.
  129. *
  130. * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at
  131. * the end, keep these extensions before signature_algorithm.
  132. */
  133. #define INVALID_EXTENSION { TLSEXT_TYPE_invalid, 0, NULL, NULL, NULL, NULL, NULL, NULL }
  134. static const EXTENSION_DEFINITION ext_defs[] = {
  135. {
  136. TLSEXT_TYPE_renegotiate,
  137. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  138. | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  139. NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,
  140. tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,
  141. final_renegotiate
  142. },
  143. {
  144. TLSEXT_TYPE_server_name,
  145. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  146. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  147. init_server_name,
  148. tls_parse_ctos_server_name, tls_parse_stoc_server_name,
  149. tls_construct_stoc_server_name, tls_construct_ctos_server_name,
  150. final_server_name
  151. },
  152. {
  153. TLSEXT_TYPE_max_fragment_length,
  154. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  155. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  156. NULL, tls_parse_ctos_maxfragmentlen, tls_parse_stoc_maxfragmentlen,
  157. tls_construct_stoc_maxfragmentlen, tls_construct_ctos_maxfragmentlen,
  158. final_maxfragmentlen
  159. },
  160. #ifndef OPENSSL_NO_SRP
  161. {
  162. TLSEXT_TYPE_srp,
  163. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  164. init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
  165. },
  166. #else
  167. INVALID_EXTENSION,
  168. #endif
  169. {
  170. TLSEXT_TYPE_ec_point_formats,
  171. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  172. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  173. init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
  174. tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
  175. final_ec_pt_formats
  176. },
  177. {
  178. /*
  179. * "supported_groups" is spread across several specifications.
  180. * It was originally specified as "elliptic_curves" in RFC 4492,
  181. * and broadened to include named FFDH groups by RFC 7919.
  182. * Both RFCs 4492 and 7919 do not include a provision for the server
  183. * to indicate to the client the complete list of groups supported
  184. * by the server, with the server instead just indicating the
  185. * selected group for this connection in the ServerKeyExchange
  186. * message. TLS 1.3 adds a scheme for the server to indicate
  187. * to the client its list of supported groups in the
  188. * EncryptedExtensions message, but none of the relevant
  189. * specifications permit sending supported_groups in the ServerHello.
  190. * Nonetheless (possibly due to the close proximity to the
  191. * "ec_point_formats" extension, which is allowed in the ServerHello),
  192. * there are several servers that send this extension in the
  193. * ServerHello anyway. Up to and including the 1.1.0 release,
  194. * we did not check for the presence of nonpermitted extensions,
  195. * so to avoid a regression, we must permit this extension in the
  196. * TLS 1.2 ServerHello as well.
  197. *
  198. * Note that there is no tls_parse_stoc_supported_groups function,
  199. * so we do not perform any additional parsing, validation, or
  200. * processing on the server's group list -- this is just a minimal
  201. * change to preserve compatibility with these misbehaving servers.
  202. */
  203. TLSEXT_TYPE_supported_groups,
  204. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
  205. | SSL_EXT_TLS1_2_SERVER_HELLO,
  206. NULL, tls_parse_ctos_supported_groups, NULL,
  207. tls_construct_stoc_supported_groups,
  208. tls_construct_ctos_supported_groups, NULL
  209. },
  210. {
  211. TLSEXT_TYPE_session_ticket,
  212. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  213. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  214. init_session_ticket, tls_parse_ctos_session_ticket,
  215. tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket,
  216. tls_construct_ctos_session_ticket, NULL
  217. },
  218. #ifndef OPENSSL_NO_OCSP
  219. {
  220. TLSEXT_TYPE_status_request,
  221. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  222. | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  223. init_status_request, tls_parse_ctos_status_request,
  224. tls_parse_stoc_status_request, tls_construct_stoc_status_request,
  225. tls_construct_ctos_status_request, NULL
  226. },
  227. #else
  228. INVALID_EXTENSION,
  229. #endif
  230. #ifndef OPENSSL_NO_NEXTPROTONEG
  231. {
  232. TLSEXT_TYPE_next_proto_neg,
  233. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  234. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  235. init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,
  236. tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL
  237. },
  238. #else
  239. INVALID_EXTENSION,
  240. #endif
  241. {
  242. /*
  243. * Must appear in this list after server_name so that finalisation
  244. * happens after server_name callbacks
  245. */
  246. TLSEXT_TYPE_application_layer_protocol_negotiation,
  247. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  248. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  249. init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
  250. tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
  251. },
  252. #ifndef OPENSSL_NO_SRTP
  253. {
  254. TLSEXT_TYPE_use_srtp,
  255. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  256. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY,
  257. init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,
  258. tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL
  259. },
  260. #else
  261. INVALID_EXTENSION,
  262. #endif
  263. {
  264. TLSEXT_TYPE_encrypt_then_mac,
  265. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  266. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  267. init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,
  268. tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
  269. },
  270. #ifndef OPENSSL_NO_CT
  271. {
  272. TLSEXT_TYPE_signed_certificate_timestamp,
  273. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  274. | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  275. NULL,
  276. /*
  277. * No server side support for this, but can be provided by a custom
  278. * extension. This is an exception to the rule that custom extensions
  279. * cannot override built in ones.
  280. */
  281. NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL
  282. },
  283. #else
  284. INVALID_EXTENSION,
  285. #endif
  286. {
  287. TLSEXT_TYPE_extended_master_secret,
  288. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  289. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  290. init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems,
  291. tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems
  292. },
  293. {
  294. TLSEXT_TYPE_signature_algorithms_cert,
  295. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  296. init_sig_algs_cert, tls_parse_ctos_sig_algs_cert,
  297. tls_parse_ctos_sig_algs_cert,
  298. /* We do not generate signature_algorithms_cert at present. */
  299. NULL, NULL, NULL
  300. },
  301. {
  302. TLSEXT_TYPE_post_handshake_auth,
  303. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ONLY,
  304. init_post_handshake_auth,
  305. tls_parse_ctos_post_handshake_auth, NULL,
  306. NULL, tls_construct_ctos_post_handshake_auth,
  307. NULL,
  308. },
  309. {
  310. TLSEXT_TYPE_client_cert_type,
  311. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
  312. | SSL_EXT_TLS1_2_SERVER_HELLO,
  313. init_client_cert_type,
  314. tls_parse_ctos_client_cert_type, tls_parse_stoc_client_cert_type,
  315. tls_construct_stoc_client_cert_type, tls_construct_ctos_client_cert_type,
  316. NULL
  317. },
  318. {
  319. TLSEXT_TYPE_server_cert_type,
  320. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
  321. | SSL_EXT_TLS1_2_SERVER_HELLO,
  322. init_server_cert_type,
  323. tls_parse_ctos_server_cert_type, tls_parse_stoc_server_cert_type,
  324. tls_construct_stoc_server_cert_type, tls_construct_ctos_server_cert_type,
  325. NULL
  326. },
  327. {
  328. TLSEXT_TYPE_signature_algorithms,
  329. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  330. init_sig_algs, tls_parse_ctos_sig_algs,
  331. tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs,
  332. tls_construct_ctos_sig_algs, final_sig_algs
  333. },
  334. {
  335. TLSEXT_TYPE_supported_versions,
  336. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
  337. | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY,
  338. NULL,
  339. /* Processed inline as part of version selection */
  340. NULL, tls_parse_stoc_supported_versions,
  341. tls_construct_stoc_supported_versions,
  342. tls_construct_ctos_supported_versions, NULL
  343. },
  344. {
  345. TLSEXT_TYPE_psk_kex_modes,
  346. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY
  347. | SSL_EXT_TLS1_3_ONLY,
  348. init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,
  349. tls_construct_ctos_psk_kex_modes, NULL
  350. },
  351. {
  352. /*
  353. * Must be in this list after supported_groups. We need that to have
  354. * been parsed before we do this one.
  355. */
  356. TLSEXT_TYPE_key_share,
  357. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
  358. | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY
  359. | SSL_EXT_TLS1_3_ONLY,
  360. NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share,
  361. tls_construct_stoc_key_share, tls_construct_ctos_key_share,
  362. final_key_share
  363. },
  364. {
  365. /* Must be after key_share */
  366. TLSEXT_TYPE_cookie,
  367. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
  368. | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
  369. NULL, tls_parse_ctos_cookie, tls_parse_stoc_cookie,
  370. tls_construct_stoc_cookie, tls_construct_ctos_cookie, NULL
  371. },
  372. {
  373. /*
  374. * Special unsolicited ServerHello extension only used when
  375. * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. We allow it in a ClientHello but
  376. * ignore it.
  377. */
  378. TLSEXT_TYPE_cryptopro_bug,
  379. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  380. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  381. NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
  382. },
  383. {
  384. TLSEXT_TYPE_compress_certificate,
  385. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
  386. | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
  387. tls_init_compress_certificate,
  388. tls_parse_compress_certificate, tls_parse_compress_certificate,
  389. tls_construct_compress_certificate, tls_construct_compress_certificate,
  390. NULL
  391. },
  392. {
  393. TLSEXT_TYPE_early_data,
  394. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
  395. | SSL_EXT_TLS1_3_NEW_SESSION_TICKET | SSL_EXT_TLS1_3_ONLY,
  396. NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data,
  397. tls_construct_stoc_early_data, tls_construct_ctos_early_data,
  398. final_early_data
  399. },
  400. {
  401. TLSEXT_TYPE_certificate_authorities,
  402. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
  403. | SSL_EXT_TLS1_3_ONLY,
  404. init_certificate_authorities,
  405. tls_parse_certificate_authorities, tls_parse_certificate_authorities,
  406. tls_construct_certificate_authorities,
  407. tls_construct_certificate_authorities, NULL,
  408. },
  409. {
  410. /* Must be immediately before pre_shared_key */
  411. TLSEXT_TYPE_padding,
  412. SSL_EXT_CLIENT_HELLO,
  413. NULL,
  414. /* We send this, but don't read it */
  415. NULL, NULL, NULL, tls_construct_ctos_padding, NULL
  416. },
  417. {
  418. /* Required by the TLSv1.3 spec to always be the last extension */
  419. TLSEXT_TYPE_psk,
  420. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
  421. | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
  422. NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk,
  423. tls_construct_ctos_psk, final_psk
  424. }
  425. };
  426. /* Returns a TLSEXT_TYPE for the given index */
  427. unsigned int ossl_get_extension_type(size_t idx)
  428. {
  429. size_t num_exts = OSSL_NELEM(ext_defs);
  430. if (idx >= num_exts)
  431. return TLSEXT_TYPE_out_of_range;
  432. return ext_defs[idx].type;
  433. }
  434. /* Check whether an extension's context matches the current context */
  435. static int validate_context(SSL_CONNECTION *s, unsigned int extctx,
  436. unsigned int thisctx)
  437. {
  438. /* Check we're allowed to use this extension in this context */
  439. if ((thisctx & extctx) == 0)
  440. return 0;
  441. if (SSL_CONNECTION_IS_DTLS(s)) {
  442. if ((extctx & SSL_EXT_TLS_ONLY) != 0)
  443. return 0;
  444. } else if ((extctx & SSL_EXT_DTLS_ONLY) != 0) {
  445. return 0;
  446. }
  447. return 1;
  448. }
  449. int tls_validate_all_contexts(SSL_CONNECTION *s, unsigned int thisctx,
  450. RAW_EXTENSION *exts)
  451. {
  452. size_t i, num_exts, builtin_num = OSSL_NELEM(ext_defs), offset;
  453. RAW_EXTENSION *thisext;
  454. unsigned int context;
  455. ENDPOINT role = ENDPOINT_BOTH;
  456. if ((thisctx & SSL_EXT_CLIENT_HELLO) != 0)
  457. role = ENDPOINT_SERVER;
  458. else if ((thisctx & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
  459. role = ENDPOINT_CLIENT;
  460. /* Calculate the number of extensions in the extensions list */
  461. num_exts = builtin_num + s->cert->custext.meths_count;
  462. for (thisext = exts, i = 0; i < num_exts; i++, thisext++) {
  463. if (!thisext->present)
  464. continue;
  465. if (i < builtin_num) {
  466. context = ext_defs[i].context;
  467. } else {
  468. custom_ext_method *meth = NULL;
  469. meth = custom_ext_find(&s->cert->custext, role, thisext->type,
  470. &offset);
  471. if (!ossl_assert(meth != NULL))
  472. return 0;
  473. context = meth->context;
  474. }
  475. if (!validate_context(s, context, thisctx))
  476. return 0;
  477. }
  478. return 1;
  479. }
  480. /*
  481. * Verify whether we are allowed to use the extension |type| in the current
  482. * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to
  483. * indicate the extension is not allowed. If returning 1 then |*found| is set to
  484. * the definition for the extension we found.
  485. */
  486. static int verify_extension(SSL_CONNECTION *s, unsigned int context,
  487. unsigned int type, custom_ext_methods *meths,
  488. RAW_EXTENSION *rawexlist, RAW_EXTENSION **found)
  489. {
  490. size_t i;
  491. size_t builtin_num = OSSL_NELEM(ext_defs);
  492. const EXTENSION_DEFINITION *thisext;
  493. for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) {
  494. if (type == thisext->type) {
  495. if (!validate_context(s, thisext->context, context))
  496. return 0;
  497. *found = &rawexlist[i];
  498. return 1;
  499. }
  500. }
  501. /* Check the custom extensions */
  502. if (meths != NULL) {
  503. size_t offset = 0;
  504. ENDPOINT role = ENDPOINT_BOTH;
  505. custom_ext_method *meth = NULL;
  506. if ((context & SSL_EXT_CLIENT_HELLO) != 0)
  507. role = ENDPOINT_SERVER;
  508. else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
  509. role = ENDPOINT_CLIENT;
  510. meth = custom_ext_find(meths, role, type, &offset);
  511. if (meth != NULL) {
  512. if (!validate_context(s, meth->context, context))
  513. return 0;
  514. *found = &rawexlist[offset + builtin_num];
  515. return 1;
  516. }
  517. }
  518. /* Unknown extension. We allow it */
  519. *found = NULL;
  520. return 1;
  521. }
  522. /*
  523. * Check whether the context defined for an extension |extctx| means whether
  524. * the extension is relevant for the current context |thisctx| or not. Returns
  525. * 1 if the extension is relevant for this context, and 0 otherwise
  526. */
  527. int extension_is_relevant(SSL_CONNECTION *s, unsigned int extctx,
  528. unsigned int thisctx)
  529. {
  530. int is_tls13;
  531. /*
  532. * For HRR we haven't selected the version yet but we know it will be
  533. * TLSv1.3
  534. */
  535. if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
  536. is_tls13 = 1;
  537. else
  538. is_tls13 = SSL_CONNECTION_IS_TLS13(s);
  539. if ((SSL_CONNECTION_IS_DTLS(s)
  540. && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
  541. || (s->version == SSL3_VERSION
  542. && (extctx & SSL_EXT_SSL3_ALLOWED) == 0)
  543. /*
  544. * Note that SSL_IS_TLS13() means "TLS 1.3 has been negotiated",
  545. * which is never true when generating the ClientHello.
  546. * However, version negotiation *has* occurred by the time the
  547. * ClientHello extensions are being parsed.
  548. * Be careful to allow TLS 1.3-only extensions when generating
  549. * the ClientHello.
  550. */
  551. || (is_tls13 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)
  552. || (!is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0
  553. && (thisctx & SSL_EXT_CLIENT_HELLO) == 0)
  554. || (s->server && !is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0)
  555. || (s->hit && (extctx & SSL_EXT_IGNORE_ON_RESUMPTION) != 0))
  556. return 0;
  557. return 1;
  558. }
  559. /*
  560. * Gather a list of all the extensions from the data in |packet]. |context|
  561. * tells us which message this extension is for. The raw extension data is
  562. * stored in |*res| on success. We don't actually process the content of the
  563. * extensions yet, except to check their types. This function also runs the
  564. * initialiser functions for all known extensions if |init| is nonzero (whether
  565. * we have collected them or not). If successful the caller is responsible for
  566. * freeing the contents of |*res|.
  567. *
  568. * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
  569. * more than one extension of the same type in a ClientHello or ServerHello.
  570. * This function returns 1 if all extensions are unique and we have parsed their
  571. * types, and 0 if the extensions contain duplicates, could not be successfully
  572. * found, or an internal error occurred. We only check duplicates for
  573. * extensions that we know about. We ignore others.
  574. */
  575. int tls_collect_extensions(SSL_CONNECTION *s, PACKET *packet,
  576. unsigned int context,
  577. RAW_EXTENSION **res, size_t *len, int init)
  578. {
  579. PACKET extensions = *packet;
  580. size_t i = 0;
  581. size_t num_exts;
  582. custom_ext_methods *exts = &s->cert->custext;
  583. RAW_EXTENSION *raw_extensions = NULL;
  584. const EXTENSION_DEFINITION *thisexd;
  585. *res = NULL;
  586. /*
  587. * Initialise server side custom extensions. Client side is done during
  588. * construction of extensions for the ClientHello.
  589. */
  590. if ((context & SSL_EXT_CLIENT_HELLO) != 0)
  591. custom_ext_init(&s->cert->custext);
  592. num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0);
  593. raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions));
  594. if (raw_extensions == NULL) {
  595. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  596. return 0;
  597. }
  598. i = 0;
  599. while (PACKET_remaining(&extensions) > 0) {
  600. unsigned int type, idx;
  601. PACKET extension;
  602. RAW_EXTENSION *thisex;
  603. if (!PACKET_get_net_2(&extensions, &type) ||
  604. !PACKET_get_length_prefixed_2(&extensions, &extension)) {
  605. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  606. goto err;
  607. }
  608. /*
  609. * Verify this extension is allowed. We only check duplicates for
  610. * extensions that we recognise. We also have a special case for the
  611. * PSK extension, which must be the last one in the ClientHello.
  612. */
  613. if (!verify_extension(s, context, type, exts, raw_extensions, &thisex)
  614. || (thisex != NULL && thisex->present == 1)
  615. || (type == TLSEXT_TYPE_psk
  616. && (context & SSL_EXT_CLIENT_HELLO) != 0
  617. && PACKET_remaining(&extensions) != 0)) {
  618. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
  619. goto err;
  620. }
  621. idx = thisex - raw_extensions;
  622. /*-
  623. * Check that we requested this extension (if appropriate). Requests can
  624. * be sent in the ClientHello and CertificateRequest. Unsolicited
  625. * extensions can be sent in the NewSessionTicket. We only do this for
  626. * the built-in extensions. Custom extensions have a different but
  627. * similar check elsewhere.
  628. * Special cases:
  629. * - The HRR cookie extension is unsolicited
  630. * - The renegotiate extension is unsolicited (the client signals
  631. * support via an SCSV)
  632. * - The signed_certificate_timestamp extension can be provided by a
  633. * custom extension or by the built-in version. We let the extension
  634. * itself handle unsolicited response checks.
  635. */
  636. if (idx < OSSL_NELEM(ext_defs)
  637. && (context & (SSL_EXT_CLIENT_HELLO
  638. | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
  639. | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) == 0
  640. && type != TLSEXT_TYPE_cookie
  641. && type != TLSEXT_TYPE_renegotiate
  642. && type != TLSEXT_TYPE_signed_certificate_timestamp
  643. && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0
  644. #ifndef OPENSSL_NO_GOST
  645. && !((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
  646. && type == TLSEXT_TYPE_cryptopro_bug)
  647. #endif
  648. ) {
  649. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
  650. SSL_R_UNSOLICITED_EXTENSION);
  651. goto err;
  652. }
  653. if (thisex != NULL) {
  654. thisex->data = extension;
  655. thisex->present = 1;
  656. thisex->type = type;
  657. thisex->received_order = i++;
  658. if (s->ext.debug_cb)
  659. s->ext.debug_cb(SSL_CONNECTION_GET_SSL(s), !s->server,
  660. thisex->type, PACKET_data(&thisex->data),
  661. PACKET_remaining(&thisex->data),
  662. s->ext.debug_arg);
  663. }
  664. }
  665. if (init) {
  666. /*
  667. * Initialise all known extensions relevant to this context,
  668. * whether we have found them or not
  669. */
  670. for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs);
  671. i++, thisexd++) {
  672. if (thisexd->init != NULL && (thisexd->context & context) != 0
  673. && extension_is_relevant(s, thisexd->context, context)
  674. && !thisexd->init(s, context)) {
  675. /* SSLfatal() already called */
  676. goto err;
  677. }
  678. }
  679. }
  680. *res = raw_extensions;
  681. if (len != NULL)
  682. *len = num_exts;
  683. return 1;
  684. err:
  685. OPENSSL_free(raw_extensions);
  686. return 0;
  687. }
  688. /*
  689. * Runs the parser for a given extension with index |idx|. |exts| contains the
  690. * list of all parsed extensions previously collected by
  691. * tls_collect_extensions(). The parser is only run if it is applicable for the
  692. * given |context| and the parser has not already been run. If this is for a
  693. * Certificate message, then we also provide the parser with the relevant
  694. * Certificate |x| and its position in the |chainidx| with 0 being the first
  695. * Certificate. Returns 1 on success or 0 on failure. If an extension is not
  696. * present this counted as success.
  697. */
  698. int tls_parse_extension(SSL_CONNECTION *s, TLSEXT_INDEX idx, int context,
  699. RAW_EXTENSION *exts, X509 *x, size_t chainidx)
  700. {
  701. RAW_EXTENSION *currext = &exts[idx];
  702. int (*parser)(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, X509 *x,
  703. size_t chainidx) = NULL;
  704. /* Skip if the extension is not present */
  705. if (!currext->present)
  706. return 1;
  707. /* Skip if we've already parsed this extension */
  708. if (currext->parsed)
  709. return 1;
  710. currext->parsed = 1;
  711. if (idx < OSSL_NELEM(ext_defs)) {
  712. /* We are handling a built-in extension */
  713. const EXTENSION_DEFINITION *extdef = &ext_defs[idx];
  714. /* Check if extension is defined for our protocol. If not, skip */
  715. if (!extension_is_relevant(s, extdef->context, context))
  716. return 1;
  717. parser = s->server ? extdef->parse_ctos : extdef->parse_stoc;
  718. if (parser != NULL)
  719. return parser(s, &currext->data, context, x, chainidx);
  720. /*
  721. * If the parser is NULL we fall through to the custom extension
  722. * processing
  723. */
  724. }
  725. /* Parse custom extensions */
  726. return custom_ext_parse(s, context, currext->type,
  727. PACKET_data(&currext->data),
  728. PACKET_remaining(&currext->data),
  729. x, chainidx);
  730. }
  731. /*
  732. * Parse all remaining extensions that have not yet been parsed. Also calls the
  733. * finalisation for all extensions at the end if |fin| is nonzero, whether we
  734. * collected them or not. Returns 1 for success or 0 for failure. If we are
  735. * working on a Certificate message then we also pass the Certificate |x| and
  736. * its position in the |chainidx|, with 0 being the first certificate.
  737. */
  738. int tls_parse_all_extensions(SSL_CONNECTION *s, int context,
  739. RAW_EXTENSION *exts, X509 *x,
  740. size_t chainidx, int fin)
  741. {
  742. size_t i, numexts = OSSL_NELEM(ext_defs);
  743. const EXTENSION_DEFINITION *thisexd;
  744. /* Calculate the number of extensions in the extensions list */
  745. numexts += s->cert->custext.meths_count;
  746. /* Parse each extension in turn */
  747. for (i = 0; i < numexts; i++) {
  748. if (!tls_parse_extension(s, i, context, exts, x, chainidx)) {
  749. /* SSLfatal() already called */
  750. return 0;
  751. }
  752. }
  753. if (fin) {
  754. /*
  755. * Finalise all known extensions relevant to this context,
  756. * whether we have found them or not
  757. */
  758. for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs);
  759. i++, thisexd++) {
  760. if (thisexd->final != NULL && (thisexd->context & context) != 0
  761. && !thisexd->final(s, context, exts[i].present)) {
  762. /* SSLfatal() already called */
  763. return 0;
  764. }
  765. }
  766. }
  767. return 1;
  768. }
  769. int should_add_extension(SSL_CONNECTION *s, unsigned int extctx,
  770. unsigned int thisctx, int max_version)
  771. {
  772. /* Skip if not relevant for our context */
  773. if ((extctx & thisctx) == 0)
  774. return 0;
  775. /* Check if this extension is defined for our protocol. If not, skip */
  776. if (!extension_is_relevant(s, extctx, thisctx)
  777. || ((extctx & SSL_EXT_TLS1_3_ONLY) != 0
  778. && (thisctx & SSL_EXT_CLIENT_HELLO) != 0
  779. && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION)))
  780. return 0;
  781. return 1;
  782. }
  783. /*
  784. * Construct all the extensions relevant to the current |context| and write
  785. * them to |pkt|. If this is an extension for a Certificate in a Certificate
  786. * message, then |x| will be set to the Certificate we are handling, and
  787. * |chainidx| will indicate the position in the chainidx we are processing (with
  788. * 0 being the first in the chain). Returns 1 on success or 0 on failure. On a
  789. * failure construction stops at the first extension to fail to construct.
  790. */
  791. int tls_construct_extensions(SSL_CONNECTION *s, WPACKET *pkt,
  792. unsigned int context,
  793. X509 *x, size_t chainidx)
  794. {
  795. size_t i;
  796. int min_version, max_version = 0, reason;
  797. const EXTENSION_DEFINITION *thisexd;
  798. int for_comp = (context & SSL_EXT_TLS1_3_CERTIFICATE_COMPRESSION) != 0;
  799. if (!WPACKET_start_sub_packet_u16(pkt)
  800. /*
  801. * If extensions are of zero length then we don't even add the
  802. * extensions length bytes to a ClientHello/ServerHello
  803. * (for non-TLSv1.3).
  804. */
  805. || ((context &
  806. (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0
  807. && !WPACKET_set_flags(pkt,
  808. WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
  809. if (!for_comp)
  810. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  811. return 0;
  812. }
  813. if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
  814. reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
  815. if (reason != 0) {
  816. if (!for_comp)
  817. SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
  818. return 0;
  819. }
  820. }
  821. /* Add custom extensions first */
  822. if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
  823. /* On the server side with initialise during ClientHello parsing */
  824. custom_ext_init(&s->cert->custext);
  825. }
  826. if (!custom_ext_add(s, context, pkt, x, chainidx, max_version)) {
  827. /* SSLfatal() already called */
  828. return 0;
  829. }
  830. for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
  831. EXT_RETURN (*construct)(SSL_CONNECTION *s, WPACKET *pkt,
  832. unsigned int context,
  833. X509 *x, size_t chainidx);
  834. EXT_RETURN ret;
  835. /* Skip if not relevant for our context */
  836. if (!should_add_extension(s, thisexd->context, context, max_version))
  837. continue;
  838. construct = s->server ? thisexd->construct_stoc
  839. : thisexd->construct_ctos;
  840. if (construct == NULL)
  841. continue;
  842. ret = construct(s, pkt, context, x, chainidx);
  843. if (ret == EXT_RETURN_FAIL) {
  844. /* SSLfatal() already called */
  845. return 0;
  846. }
  847. if (ret == EXT_RETURN_SENT
  848. && (context & (SSL_EXT_CLIENT_HELLO
  849. | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
  850. | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) != 0)
  851. s->ext.extflags[i] |= SSL_EXT_FLAG_SENT;
  852. }
  853. if (!WPACKET_close(pkt)) {
  854. if (!for_comp)
  855. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  856. return 0;
  857. }
  858. return 1;
  859. }
  860. /*
  861. * Built in extension finalisation and initialisation functions. All initialise
  862. * or finalise the associated extension type for the given |context|. For
  863. * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0
  864. * otherwise. These functions return 1 on success or 0 on failure.
  865. */
  866. static int final_renegotiate(SSL_CONNECTION *s, unsigned int context, int sent)
  867. {
  868. if (!s->server) {
  869. /*
  870. * Check if we can connect to a server that doesn't support safe
  871. * renegotiation
  872. */
  873. if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
  874. && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
  875. && !sent) {
  876. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  877. SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  878. return 0;
  879. }
  880. return 1;
  881. }
  882. /* Need RI if renegotiating */
  883. if (s->renegotiate
  884. && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
  885. && !sent) {
  886. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  887. SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  888. return 0;
  889. }
  890. return 1;
  891. }
  892. static ossl_inline void ssl_tsan_decr(const SSL_CTX *ctx,
  893. TSAN_QUALIFIER int *stat)
  894. {
  895. if (ssl_tsan_lock(ctx)) {
  896. tsan_decr(stat);
  897. ssl_tsan_unlock(ctx);
  898. }
  899. }
  900. static int init_server_name(SSL_CONNECTION *s, unsigned int context)
  901. {
  902. if (s->server) {
  903. s->servername_done = 0;
  904. OPENSSL_free(s->ext.hostname);
  905. s->ext.hostname = NULL;
  906. }
  907. return 1;
  908. }
  909. static int final_server_name(SSL_CONNECTION *s, unsigned int context, int sent)
  910. {
  911. int ret = SSL_TLSEXT_ERR_NOACK;
  912. int altmp = SSL_AD_UNRECOGNIZED_NAME;
  913. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  914. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  915. int was_ticket = (SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0;
  916. if (!ossl_assert(sctx != NULL) || !ossl_assert(s->session_ctx != NULL)) {
  917. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  918. return 0;
  919. }
  920. if (sctx->ext.servername_cb != NULL)
  921. ret = sctx->ext.servername_cb(ssl, &altmp,
  922. sctx->ext.servername_arg);
  923. else if (s->session_ctx->ext.servername_cb != NULL)
  924. ret = s->session_ctx->ext.servername_cb(ssl, &altmp,
  925. s->session_ctx->ext.servername_arg);
  926. /*
  927. * For servers, propagate the SNI hostname from the temporary
  928. * storage in the SSL to the persistent SSL_SESSION, now that we
  929. * know we accepted it.
  930. * Clients make this copy when parsing the server's response to
  931. * the extension, which is when they find out that the negotiation
  932. * was successful.
  933. */
  934. if (s->server) {
  935. if (sent && ret == SSL_TLSEXT_ERR_OK && !s->hit) {
  936. /* Only store the hostname in the session if we accepted it. */
  937. OPENSSL_free(s->session->ext.hostname);
  938. s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
  939. if (s->session->ext.hostname == NULL && s->ext.hostname != NULL) {
  940. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  941. }
  942. }
  943. }
  944. /*
  945. * If we switched contexts (whether here or in the client_hello callback),
  946. * move the sess_accept increment from the session_ctx to the new
  947. * context, to avoid the confusing situation of having sess_accept_good
  948. * exceed sess_accept (zero) for the new context.
  949. */
  950. if (SSL_IS_FIRST_HANDSHAKE(s) && sctx != s->session_ctx
  951. && s->hello_retry_request == SSL_HRR_NONE) {
  952. ssl_tsan_counter(sctx, &sctx->stats.sess_accept);
  953. ssl_tsan_decr(s->session_ctx, &s->session_ctx->stats.sess_accept);
  954. }
  955. /*
  956. * If we're expecting to send a ticket, and tickets were previously enabled,
  957. * and now tickets are disabled, then turn off expected ticket.
  958. * Also, if this is not a resumption, create a new session ID
  959. */
  960. if (ret == SSL_TLSEXT_ERR_OK && s->ext.ticket_expected
  961. && was_ticket && (SSL_get_options(ssl) & SSL_OP_NO_TICKET) != 0) {
  962. s->ext.ticket_expected = 0;
  963. if (!s->hit) {
  964. SSL_SESSION* ss = SSL_get_session(ssl);
  965. if (ss != NULL) {
  966. OPENSSL_free(ss->ext.tick);
  967. ss->ext.tick = NULL;
  968. ss->ext.ticklen = 0;
  969. ss->ext.tick_lifetime_hint = 0;
  970. ss->ext.tick_age_add = 0;
  971. if (!ssl_generate_session_id(s, ss)) {
  972. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  973. return 0;
  974. }
  975. } else {
  976. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  977. return 0;
  978. }
  979. }
  980. }
  981. switch (ret) {
  982. case SSL_TLSEXT_ERR_ALERT_FATAL:
  983. SSLfatal(s, altmp, SSL_R_CALLBACK_FAILED);
  984. return 0;
  985. case SSL_TLSEXT_ERR_ALERT_WARNING:
  986. /* TLSv1.3 doesn't have warning alerts so we suppress this */
  987. if (!SSL_CONNECTION_IS_TLS13(s))
  988. ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
  989. s->servername_done = 0;
  990. return 1;
  991. case SSL_TLSEXT_ERR_NOACK:
  992. s->servername_done = 0;
  993. return 1;
  994. default:
  995. return 1;
  996. }
  997. }
  998. static int final_ec_pt_formats(SSL_CONNECTION *s, unsigned int context,
  999. int sent)
  1000. {
  1001. unsigned long alg_k, alg_a;
  1002. if (s->server)
  1003. return 1;
  1004. alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  1005. alg_a = s->s3.tmp.new_cipher->algorithm_auth;
  1006. /*
  1007. * If we are client and using an elliptic curve cryptography cipher
  1008. * suite, then if server returns an EC point formats lists extension it
  1009. * must contain uncompressed.
  1010. */
  1011. if (s->ext.ecpointformats != NULL
  1012. && s->ext.ecpointformats_len > 0
  1013. && s->ext.peer_ecpointformats != NULL
  1014. && s->ext.peer_ecpointformats_len > 0
  1015. && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
  1016. /* we are using an ECC cipher */
  1017. size_t i;
  1018. unsigned char *list = s->ext.peer_ecpointformats;
  1019. for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
  1020. if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
  1021. break;
  1022. }
  1023. if (i == s->ext.peer_ecpointformats_len) {
  1024. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1025. SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
  1026. return 0;
  1027. }
  1028. }
  1029. return 1;
  1030. }
  1031. static int init_session_ticket(SSL_CONNECTION *s, unsigned int context)
  1032. {
  1033. if (!s->server)
  1034. s->ext.ticket_expected = 0;
  1035. return 1;
  1036. }
  1037. #ifndef OPENSSL_NO_OCSP
  1038. static int init_status_request(SSL_CONNECTION *s, unsigned int context)
  1039. {
  1040. if (s->server) {
  1041. s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
  1042. } else {
  1043. /*
  1044. * Ensure we get sensible values passed to tlsext_status_cb in the event
  1045. * that we don't receive a status message
  1046. */
  1047. OPENSSL_free(s->ext.ocsp.resp);
  1048. s->ext.ocsp.resp = NULL;
  1049. s->ext.ocsp.resp_len = 0;
  1050. }
  1051. return 1;
  1052. }
  1053. #endif
  1054. #ifndef OPENSSL_NO_NEXTPROTONEG
  1055. static int init_npn(SSL_CONNECTION *s, unsigned int context)
  1056. {
  1057. s->s3.npn_seen = 0;
  1058. return 1;
  1059. }
  1060. #endif
  1061. static int init_alpn(SSL_CONNECTION *s, unsigned int context)
  1062. {
  1063. OPENSSL_free(s->s3.alpn_selected);
  1064. s->s3.alpn_selected = NULL;
  1065. s->s3.alpn_selected_len = 0;
  1066. if (s->server) {
  1067. OPENSSL_free(s->s3.alpn_proposed);
  1068. s->s3.alpn_proposed = NULL;
  1069. s->s3.alpn_proposed_len = 0;
  1070. }
  1071. return 1;
  1072. }
  1073. static int final_alpn(SSL_CONNECTION *s, unsigned int context, int sent)
  1074. {
  1075. if (!s->server && !sent && s->session->ext.alpn_selected != NULL)
  1076. s->ext.early_data_ok = 0;
  1077. if (!s->server || !SSL_CONNECTION_IS_TLS13(s))
  1078. return 1;
  1079. /*
  1080. * Call alpn_select callback if needed. Has to be done after SNI and
  1081. * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
  1082. * we also have to do this before we decide whether to accept early_data.
  1083. * In TLSv1.3 we've already negotiated our cipher so we do this call now.
  1084. * For < TLSv1.3 we defer it until after cipher negotiation.
  1085. *
  1086. * On failure SSLfatal() already called.
  1087. */
  1088. return tls_handle_alpn(s);
  1089. }
  1090. static int init_sig_algs(SSL_CONNECTION *s, unsigned int context)
  1091. {
  1092. /* Clear any signature algorithms extension received */
  1093. OPENSSL_free(s->s3.tmp.peer_sigalgs);
  1094. s->s3.tmp.peer_sigalgs = NULL;
  1095. s->s3.tmp.peer_sigalgslen = 0;
  1096. return 1;
  1097. }
  1098. static int init_sig_algs_cert(SSL_CONNECTION *s,
  1099. ossl_unused unsigned int context)
  1100. {
  1101. /* Clear any signature algorithms extension received */
  1102. OPENSSL_free(s->s3.tmp.peer_cert_sigalgs);
  1103. s->s3.tmp.peer_cert_sigalgs = NULL;
  1104. s->s3.tmp.peer_cert_sigalgslen = 0;
  1105. return 1;
  1106. }
  1107. #ifndef OPENSSL_NO_SRP
  1108. static int init_srp(SSL_CONNECTION *s, unsigned int context)
  1109. {
  1110. OPENSSL_free(s->srp_ctx.login);
  1111. s->srp_ctx.login = NULL;
  1112. return 1;
  1113. }
  1114. #endif
  1115. static int init_ec_point_formats(SSL_CONNECTION *s, unsigned int context)
  1116. {
  1117. OPENSSL_free(s->ext.peer_ecpointformats);
  1118. s->ext.peer_ecpointformats = NULL;
  1119. s->ext.peer_ecpointformats_len = 0;
  1120. return 1;
  1121. }
  1122. static int init_etm(SSL_CONNECTION *s, unsigned int context)
  1123. {
  1124. s->ext.use_etm = 0;
  1125. return 1;
  1126. }
  1127. static int init_ems(SSL_CONNECTION *s, unsigned int context)
  1128. {
  1129. if (s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) {
  1130. s->s3.flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
  1131. s->s3.flags |= TLS1_FLAGS_REQUIRED_EXTMS;
  1132. }
  1133. return 1;
  1134. }
  1135. static int final_ems(SSL_CONNECTION *s, unsigned int context, int sent)
  1136. {
  1137. /*
  1138. * Check extended master secret extension is not dropped on
  1139. * renegotiation.
  1140. */
  1141. if (!(s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS)
  1142. && (s->s3.flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
  1143. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_EXTMS);
  1144. return 0;
  1145. }
  1146. if (!s->server && s->hit) {
  1147. /*
  1148. * Check extended master secret extension is consistent with
  1149. * original session.
  1150. */
  1151. if (!(s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
  1152. !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
  1153. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_EXTMS);
  1154. return 0;
  1155. }
  1156. }
  1157. return 1;
  1158. }
  1159. static int init_certificate_authorities(SSL_CONNECTION *s, unsigned int context)
  1160. {
  1161. sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
  1162. s->s3.tmp.peer_ca_names = NULL;
  1163. return 1;
  1164. }
  1165. static EXT_RETURN tls_construct_certificate_authorities(SSL_CONNECTION *s,
  1166. WPACKET *pkt,
  1167. unsigned int context,
  1168. X509 *x,
  1169. size_t chainidx)
  1170. {
  1171. const STACK_OF(X509_NAME) *ca_sk = get_ca_names(s);
  1172. if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0)
  1173. return EXT_RETURN_NOT_SENT;
  1174. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities)
  1175. || !WPACKET_start_sub_packet_u16(pkt)) {
  1176. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1177. return EXT_RETURN_FAIL;
  1178. }
  1179. if (!construct_ca_names(s, ca_sk, pkt)) {
  1180. /* SSLfatal() already called */
  1181. return EXT_RETURN_FAIL;
  1182. }
  1183. if (!WPACKET_close(pkt)) {
  1184. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1185. return EXT_RETURN_FAIL;
  1186. }
  1187. return EXT_RETURN_SENT;
  1188. }
  1189. static int tls_parse_certificate_authorities(SSL_CONNECTION *s, PACKET *pkt,
  1190. unsigned int context, X509 *x,
  1191. size_t chainidx)
  1192. {
  1193. if (!parse_ca_names(s, pkt))
  1194. return 0;
  1195. if (PACKET_remaining(pkt) != 0) {
  1196. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1197. return 0;
  1198. }
  1199. return 1;
  1200. }
  1201. #ifndef OPENSSL_NO_SRTP
  1202. static int init_srtp(SSL_CONNECTION *s, unsigned int context)
  1203. {
  1204. if (s->server)
  1205. s->srtp_profile = NULL;
  1206. return 1;
  1207. }
  1208. #endif
  1209. static int final_sig_algs(SSL_CONNECTION *s, unsigned int context, int sent)
  1210. {
  1211. if (!sent && SSL_CONNECTION_IS_TLS13(s) && !s->hit) {
  1212. SSLfatal(s, TLS13_AD_MISSING_EXTENSION,
  1213. SSL_R_MISSING_SIGALGS_EXTENSION);
  1214. return 0;
  1215. }
  1216. return 1;
  1217. }
  1218. static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent)
  1219. {
  1220. #if !defined(OPENSSL_NO_TLS1_3)
  1221. if (!SSL_CONNECTION_IS_TLS13(s))
  1222. return 1;
  1223. /* Nothing to do for key_share in an HRR */
  1224. if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
  1225. return 1;
  1226. /*
  1227. * If
  1228. * we are a client
  1229. * AND
  1230. * we have no key_share
  1231. * AND
  1232. * (we are not resuming
  1233. * OR the kex_mode doesn't allow non key_share resumes)
  1234. * THEN
  1235. * fail;
  1236. */
  1237. if (!s->server
  1238. && !sent
  1239. && (!s->hit
  1240. || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {
  1241. /* Nothing left we can do - just fail */
  1242. SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_R_NO_SUITABLE_KEY_SHARE);
  1243. return 0;
  1244. }
  1245. /*
  1246. * IF
  1247. * we are a server
  1248. * THEN
  1249. * IF
  1250. * we have a suitable key_share
  1251. * THEN
  1252. * IF
  1253. * we are stateless AND we have no cookie
  1254. * THEN
  1255. * send a HelloRetryRequest
  1256. * ELSE
  1257. * IF
  1258. * we didn't already send a HelloRetryRequest
  1259. * AND
  1260. * the client sent a key_share extension
  1261. * AND
  1262. * (we are not resuming
  1263. * OR the kex_mode allows key_share resumes)
  1264. * AND
  1265. * a shared group exists
  1266. * THEN
  1267. * send a HelloRetryRequest
  1268. * ELSE IF
  1269. * we are not resuming
  1270. * OR
  1271. * the kex_mode doesn't allow non key_share resumes
  1272. * THEN
  1273. * fail
  1274. * ELSE IF
  1275. * we are stateless AND we have no cookie
  1276. * THEN
  1277. * send a HelloRetryRequest
  1278. */
  1279. if (s->server) {
  1280. if (s->s3.peer_tmp != NULL) {
  1281. /* We have a suitable key_share */
  1282. if ((s->s3.flags & TLS1_FLAGS_STATELESS) != 0
  1283. && !s->ext.cookieok) {
  1284. if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
  1285. /*
  1286. * If we are stateless then we wouldn't know about any
  1287. * previously sent HRR - so how can this be anything other
  1288. * than 0?
  1289. */
  1290. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1291. return 0;
  1292. }
  1293. s->hello_retry_request = SSL_HRR_PENDING;
  1294. return 1;
  1295. }
  1296. } else {
  1297. /* No suitable key_share */
  1298. if (s->hello_retry_request == SSL_HRR_NONE && sent
  1299. && (!s->hit
  1300. || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)
  1301. != 0)) {
  1302. const uint16_t *pgroups, *clntgroups;
  1303. size_t num_groups, clnt_num_groups, i;
  1304. unsigned int group_id = 0;
  1305. /* Check if a shared group exists */
  1306. /* Get the clients list of supported groups. */
  1307. tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
  1308. tls1_get_supported_groups(s, &pgroups, &num_groups);
  1309. /*
  1310. * Find the first group we allow that is also in client's list
  1311. */
  1312. for (i = 0; i < num_groups; i++) {
  1313. group_id = pgroups[i];
  1314. if (check_in_list(s, group_id, clntgroups, clnt_num_groups,
  1315. 1)
  1316. && tls_group_allowed(s, group_id,
  1317. SSL_SECOP_CURVE_SUPPORTED)
  1318. && tls_valid_group(s, group_id, TLS1_3_VERSION,
  1319. TLS1_3_VERSION, 0, NULL))
  1320. break;
  1321. }
  1322. if (i < num_groups) {
  1323. /* A shared group exists so send a HelloRetryRequest */
  1324. s->s3.group_id = group_id;
  1325. s->hello_retry_request = SSL_HRR_PENDING;
  1326. return 1;
  1327. }
  1328. }
  1329. if (!s->hit
  1330. || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) {
  1331. /* Nothing left we can do - just fail */
  1332. SSLfatal(s, sent ? SSL_AD_HANDSHAKE_FAILURE
  1333. : SSL_AD_MISSING_EXTENSION,
  1334. SSL_R_NO_SUITABLE_KEY_SHARE);
  1335. return 0;
  1336. }
  1337. if ((s->s3.flags & TLS1_FLAGS_STATELESS) != 0
  1338. && !s->ext.cookieok) {
  1339. if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
  1340. /*
  1341. * If we are stateless then we wouldn't know about any
  1342. * previously sent HRR - so how can this be anything other
  1343. * than 0?
  1344. */
  1345. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1346. return 0;
  1347. }
  1348. s->hello_retry_request = SSL_HRR_PENDING;
  1349. return 1;
  1350. }
  1351. }
  1352. /*
  1353. * We have a key_share so don't send any more HelloRetryRequest
  1354. * messages
  1355. */
  1356. if (s->hello_retry_request == SSL_HRR_PENDING)
  1357. s->hello_retry_request = SSL_HRR_COMPLETE;
  1358. } else {
  1359. /*
  1360. * For a client side resumption with no key_share we need to generate
  1361. * the handshake secret (otherwise this is done during key_share
  1362. * processing).
  1363. */
  1364. if (!sent && !tls13_generate_handshake_secret(s, NULL, 0)) {
  1365. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1366. return 0;
  1367. }
  1368. }
  1369. #endif /* !defined(OPENSSL_NO_TLS1_3) */
  1370. return 1;
  1371. }
  1372. static int init_psk_kex_modes(SSL_CONNECTION *s, unsigned int context)
  1373. {
  1374. s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE;
  1375. return 1;
  1376. }
  1377. int tls_psk_do_binder(SSL_CONNECTION *s, const EVP_MD *md,
  1378. const unsigned char *msgstart,
  1379. size_t binderoffset, const unsigned char *binderin,
  1380. unsigned char *binderout, SSL_SESSION *sess, int sign,
  1381. int external)
  1382. {
  1383. EVP_PKEY *mackey = NULL;
  1384. EVP_MD_CTX *mctx = NULL;
  1385. unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
  1386. unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
  1387. unsigned char *early_secret;
  1388. /* ASCII: "res binder", in hex for EBCDIC compatibility */
  1389. static const unsigned char resumption_label[] = "\x72\x65\x73\x20\x62\x69\x6E\x64\x65\x72";
  1390. /* ASCII: "ext binder", in hex for EBCDIC compatibility */
  1391. static const unsigned char external_label[] = "\x65\x78\x74\x20\x62\x69\x6E\x64\x65\x72";
  1392. const unsigned char *label;
  1393. size_t bindersize, labelsize, hashsize;
  1394. int hashsizei = EVP_MD_get_size(md);
  1395. int ret = -1;
  1396. int usepskfored = 0;
  1397. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1398. /* Ensure cast to size_t is safe */
  1399. if (!ossl_assert(hashsizei >= 0)) {
  1400. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1401. goto err;
  1402. }
  1403. hashsize = (size_t)hashsizei;
  1404. if (external
  1405. && s->early_data_state == SSL_EARLY_DATA_CONNECTING
  1406. && s->session->ext.max_early_data == 0
  1407. && sess->ext.max_early_data > 0)
  1408. usepskfored = 1;
  1409. if (external) {
  1410. label = external_label;
  1411. labelsize = sizeof(external_label) - 1;
  1412. } else {
  1413. label = resumption_label;
  1414. labelsize = sizeof(resumption_label) - 1;
  1415. }
  1416. /*
  1417. * Generate the early_secret. On the server side we've selected a PSK to
  1418. * resume with (internal or external) so we always do this. On the client
  1419. * side we do this for a non-external (i.e. resumption) PSK or external PSK
  1420. * that will be used for early_data so that it is in place for sending early
  1421. * data. For client side external PSK not being used for early_data we
  1422. * generate it but store it away for later use.
  1423. */
  1424. if (s->server || !external || usepskfored)
  1425. early_secret = (unsigned char *)s->early_secret;
  1426. else
  1427. early_secret = (unsigned char *)sess->early_secret;
  1428. if (!tls13_generate_secret(s, md, NULL, sess->master_key,
  1429. sess->master_key_length, early_secret)) {
  1430. /* SSLfatal() already called */
  1431. goto err;
  1432. }
  1433. /*
  1434. * Create the handshake hash for the binder key...the messages so far are
  1435. * empty!
  1436. */
  1437. mctx = EVP_MD_CTX_new();
  1438. if (mctx == NULL
  1439. || EVP_DigestInit_ex(mctx, md, NULL) <= 0
  1440. || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
  1441. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1442. goto err;
  1443. }
  1444. /* Generate the binder key */
  1445. if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
  1446. hashsize, binderkey, hashsize, 1)) {
  1447. /* SSLfatal() already called */
  1448. goto err;
  1449. }
  1450. /* Generate the finished key */
  1451. if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) {
  1452. /* SSLfatal() already called */
  1453. goto err;
  1454. }
  1455. if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) {
  1456. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1457. goto err;
  1458. }
  1459. /*
  1460. * Get a hash of the ClientHello up to the start of the binders. If we are
  1461. * following a HelloRetryRequest then this includes the hash of the first
  1462. * ClientHello and the HelloRetryRequest itself.
  1463. */
  1464. if (s->hello_retry_request == SSL_HRR_PENDING) {
  1465. size_t hdatalen;
  1466. long hdatalen_l;
  1467. void *hdata;
  1468. hdatalen = hdatalen_l =
  1469. BIO_get_mem_data(s->s3.handshake_buffer, &hdata);
  1470. if (hdatalen_l <= 0) {
  1471. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_LENGTH);
  1472. goto err;
  1473. }
  1474. /*
  1475. * For servers the handshake buffer data will include the second
  1476. * ClientHello - which we don't want - so we need to take that bit off.
  1477. */
  1478. if (s->server) {
  1479. PACKET hashprefix, msg;
  1480. /* Find how many bytes are left after the first two messages */
  1481. if (!PACKET_buf_init(&hashprefix, hdata, hdatalen)
  1482. || !PACKET_forward(&hashprefix, 1)
  1483. || !PACKET_get_length_prefixed_3(&hashprefix, &msg)
  1484. || !PACKET_forward(&hashprefix, 1)
  1485. || !PACKET_get_length_prefixed_3(&hashprefix, &msg)) {
  1486. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1487. goto err;
  1488. }
  1489. hdatalen -= PACKET_remaining(&hashprefix);
  1490. }
  1491. if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) {
  1492. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1493. goto err;
  1494. }
  1495. }
  1496. if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0
  1497. || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
  1498. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1499. goto err;
  1500. }
  1501. mackey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
  1502. sctx->propq, finishedkey,
  1503. hashsize);
  1504. if (mackey == NULL) {
  1505. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1506. goto err;
  1507. }
  1508. if (!sign)
  1509. binderout = tmpbinder;
  1510. bindersize = hashsize;
  1511. if (EVP_DigestSignInit_ex(mctx, NULL, EVP_MD_get0_name(md), sctx->libctx,
  1512. sctx->propq, mackey, NULL) <= 0
  1513. || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0
  1514. || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0
  1515. || bindersize != hashsize) {
  1516. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1517. goto err;
  1518. }
  1519. if (sign) {
  1520. ret = 1;
  1521. } else {
  1522. /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */
  1523. ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0);
  1524. if (!ret)
  1525. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BINDER_DOES_NOT_VERIFY);
  1526. }
  1527. err:
  1528. OPENSSL_cleanse(binderkey, sizeof(binderkey));
  1529. OPENSSL_cleanse(finishedkey, sizeof(finishedkey));
  1530. EVP_PKEY_free(mackey);
  1531. EVP_MD_CTX_free(mctx);
  1532. return ret;
  1533. }
  1534. static int final_early_data(SSL_CONNECTION *s, unsigned int context, int sent)
  1535. {
  1536. if (!sent)
  1537. return 1;
  1538. if (!s->server) {
  1539. if (context == SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
  1540. && sent
  1541. && !s->ext.early_data_ok) {
  1542. /*
  1543. * If we get here then the server accepted our early_data but we
  1544. * later realised that it shouldn't have done (e.g. inconsistent
  1545. * ALPN)
  1546. */
  1547. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EARLY_DATA);
  1548. return 0;
  1549. }
  1550. return 1;
  1551. }
  1552. if (s->max_early_data == 0
  1553. || !s->hit
  1554. || s->early_data_state != SSL_EARLY_DATA_ACCEPTING
  1555. || !s->ext.early_data_ok
  1556. || s->hello_retry_request != SSL_HRR_NONE
  1557. || (s->allow_early_data_cb != NULL
  1558. && !s->allow_early_data_cb(SSL_CONNECTION_GET_SSL(s),
  1559. s->allow_early_data_cb_data))) {
  1560. s->ext.early_data = SSL_EARLY_DATA_REJECTED;
  1561. } else {
  1562. s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
  1563. if (!tls13_change_cipher_state(s,
  1564. SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) {
  1565. /* SSLfatal() already called */
  1566. return 0;
  1567. }
  1568. }
  1569. return 1;
  1570. }
  1571. static int final_maxfragmentlen(SSL_CONNECTION *s, unsigned int context,
  1572. int sent)
  1573. {
  1574. /*
  1575. * Session resumption on server-side with MFL extension active
  1576. * BUT MFL extension packet was not resent (i.e. sent == 0)
  1577. */
  1578. if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
  1579. && !sent ) {
  1580. SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_R_BAD_EXTENSION);
  1581. return 0;
  1582. }
  1583. if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)) {
  1584. s->rlayer.rrlmethod->set_max_frag_len(s->rlayer.rrl,
  1585. GET_MAX_FRAGMENT_LENGTH(s->session));
  1586. s->rlayer.wrlmethod->set_max_frag_len(s->rlayer.wrl,
  1587. ssl_get_max_send_fragment(s));
  1588. }
  1589. return 1;
  1590. }
  1591. static int init_post_handshake_auth(SSL_CONNECTION *s,
  1592. ossl_unused unsigned int context)
  1593. {
  1594. s->post_handshake_auth = SSL_PHA_NONE;
  1595. return 1;
  1596. }
  1597. /*
  1598. * If clients offer "pre_shared_key" without a "psk_key_exchange_modes"
  1599. * extension, servers MUST abort the handshake.
  1600. */
  1601. static int final_psk(SSL_CONNECTION *s, unsigned int context, int sent)
  1602. {
  1603. if (s->server && sent && s->clienthello != NULL
  1604. && !s->clienthello->pre_proc_exts[TLSEXT_IDX_psk_kex_modes].present) {
  1605. SSLfatal(s, TLS13_AD_MISSING_EXTENSION,
  1606. SSL_R_MISSING_PSK_KEX_MODES_EXTENSION);
  1607. return 0;
  1608. }
  1609. return 1;
  1610. }
  1611. static int tls_init_compress_certificate(SSL_CONNECTION *sc, unsigned int context)
  1612. {
  1613. memset(sc->ext.compress_certificate_from_peer, 0,
  1614. sizeof(sc->ext.compress_certificate_from_peer));
  1615. return 1;
  1616. }
  1617. /* The order these are put into the packet imply a preference order: [brotli, zlib, zstd] */
  1618. static EXT_RETURN tls_construct_compress_certificate(SSL_CONNECTION *sc, WPACKET *pkt,
  1619. unsigned int context,
  1620. X509 *x, size_t chainidx)
  1621. {
  1622. #ifndef OPENSSL_NO_COMP_ALG
  1623. int i;
  1624. if (!ossl_comp_has_alg(0))
  1625. return EXT_RETURN_NOT_SENT;
  1626. /* Server: Don't attempt to compress a non-X509 (i.e. an RPK) */
  1627. if (sc->server && sc->ext.server_cert_type != TLSEXT_cert_type_x509) {
  1628. sc->cert_comp_prefs[0] = TLSEXT_comp_cert_none;
  1629. return EXT_RETURN_NOT_SENT;
  1630. }
  1631. /* Client: If we sent a client cert-type extension, don't indicate compression */
  1632. if (!sc->server && sc->ext.client_cert_type_ctos) {
  1633. sc->cert_comp_prefs[0] = TLSEXT_comp_cert_none;
  1634. return EXT_RETURN_NOT_SENT;
  1635. }
  1636. /* Do not indicate we support receiving compressed certificates */
  1637. if ((sc->options & SSL_OP_NO_RX_CERTIFICATE_COMPRESSION) != 0)
  1638. return EXT_RETURN_NOT_SENT;
  1639. if (sc->cert_comp_prefs[0] == TLSEXT_comp_cert_none)
  1640. return EXT_RETURN_NOT_SENT;
  1641. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_compress_certificate)
  1642. || !WPACKET_start_sub_packet_u16(pkt)
  1643. || !WPACKET_start_sub_packet_u8(pkt))
  1644. goto err;
  1645. for (i = 0; sc->cert_comp_prefs[i] != TLSEXT_comp_cert_none; i++) {
  1646. if (!WPACKET_put_bytes_u16(pkt, sc->cert_comp_prefs[i]))
  1647. goto err;
  1648. }
  1649. if (!WPACKET_close(pkt) || !WPACKET_close(pkt))
  1650. goto err;
  1651. sc->ext.compress_certificate_sent = 1;
  1652. return EXT_RETURN_SENT;
  1653. err:
  1654. SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1655. return EXT_RETURN_FAIL;
  1656. #else
  1657. return EXT_RETURN_NOT_SENT;
  1658. #endif
  1659. }
  1660. #ifndef OPENSSL_NO_COMP_ALG
  1661. static int tls_comp_in_pref(SSL_CONNECTION *sc, int alg)
  1662. {
  1663. int i;
  1664. /* ossl_comp_has_alg() considers 0 as "any" */
  1665. if (alg == 0)
  1666. return 0;
  1667. /* Make sure algorithm is enabled */
  1668. if (!ossl_comp_has_alg(alg))
  1669. return 0;
  1670. /* If no preferences are set, it's ok */
  1671. if (sc->cert_comp_prefs[0] == TLSEXT_comp_cert_none)
  1672. return 1;
  1673. /* Find the algorithm */
  1674. for (i = 0; i < TLSEXT_comp_cert_limit; i++)
  1675. if (sc->cert_comp_prefs[i] == alg)
  1676. return 1;
  1677. return 0;
  1678. }
  1679. #endif
  1680. int tls_parse_compress_certificate(SSL_CONNECTION *sc, PACKET *pkt, unsigned int context,
  1681. X509 *x, size_t chainidx)
  1682. {
  1683. #ifndef OPENSSL_NO_COMP_ALG
  1684. PACKET supported_comp_algs;
  1685. unsigned int comp;
  1686. int already_set[TLSEXT_comp_cert_limit];
  1687. int j = 0;
  1688. /* If no algorithms are available, ignore the extension */
  1689. if (!ossl_comp_has_alg(0))
  1690. return 1;
  1691. /* Don't attempt to compress a non-X509 (i.e. an RPK) */
  1692. if (sc->server && sc->ext.server_cert_type != TLSEXT_cert_type_x509)
  1693. return 1;
  1694. if (!sc->server && sc->ext.client_cert_type != TLSEXT_cert_type_x509)
  1695. return 1;
  1696. /* Ignore the extension and don't send compressed certificates */
  1697. if ((sc->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0)
  1698. return 1;
  1699. if (!PACKET_as_length_prefixed_1(pkt, &supported_comp_algs)
  1700. || PACKET_remaining(&supported_comp_algs) == 0) {
  1701. SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1702. return 0;
  1703. }
  1704. memset(already_set, 0, sizeof(already_set));
  1705. /*
  1706. * The preference array has real values, so take a look at each
  1707. * value coming in, and make sure it's in our preference list
  1708. * The array is 0 (i.e. "none") terminated
  1709. * The preference list only contains supported algorithms
  1710. */
  1711. while (PACKET_get_net_2(&supported_comp_algs, &comp)) {
  1712. if (tls_comp_in_pref(sc, comp) && !already_set[comp]) {
  1713. sc->ext.compress_certificate_from_peer[j++] = comp;
  1714. already_set[comp] = 1;
  1715. }
  1716. }
  1717. #endif
  1718. return 1;
  1719. }
  1720. static int init_server_cert_type(SSL_CONNECTION *sc, unsigned int context)
  1721. {
  1722. /* Only reset when parsing client hello */
  1723. if (sc->server) {
  1724. sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
  1725. sc->ext.server_cert_type = TLSEXT_cert_type_x509;
  1726. }
  1727. return 1;
  1728. }
  1729. static int init_client_cert_type(SSL_CONNECTION *sc, unsigned int context)
  1730. {
  1731. /* Only reset when parsing client hello */
  1732. if (sc->server) {
  1733. sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
  1734. sc->ext.client_cert_type = TLSEXT_cert_type_x509;
  1735. }
  1736. return 1;
  1737. }